Difference between revisions of "OpenSSL: Ubuntu"

(Created page with "source: https://help.ubuntu.com/community/OpenSSL Introduction This guide is designed to introduce the reader to the Secure Sockets Layer (SSL) application-level protocol...")
 
 
(41 intermediate revisions by the same user not shown)
  
  
 +
==About OpenSSL==
  
 +
Secure Sockets Layer is an application-level protocol developed by Netscape Corporation for the purpose of transmitting sensitive information, such as credit card details, over the Internet. SSL works by using a private key to encrypt data transferred over an SSL-enabled connection, thus thwarting eavesdropping on the information. The most popular use of SSL is together with web browsing (using the HTTP protocol), but many network applications can benefit from using SSL. By convention, URLs that require an SSL connection start with https: instead of http:.
  
Introduction
+
OpenSSL is a robust, commercial-grade implementation of SSL tools and a related general-purpose library based on SSLeay, developed by Eric A. Young and Tim J. Hudson. OpenSSL is available as an open-source equivalent of commercial SSL implementations under an Apache-style license.
  
This guide is designed to introduce the reader to the Secure Sockets Layer (SSL) application-level protocol, and particularly the OpenSSL implementation of SSL. After a brief description of exactly what OpenSSL is, and what it is useful for, the guide will further illustrate the practical usage of OpenSSL in a client-server environment, and provide specific examples of applications which may benefit from OpenSSL. Finally, the guide will lead the user through example procedures required to use OpenSSL with the popular Apache Hyper Text Transport Protocol (HTTP) server for the purpose of serving secured web pages from your Ubuntu computer.
+
==About X.509==
  
Target Audience
+
X.509 is a specification for digital certificates published by the International Telecommunications Union - Telecommunication (ITU-T). It specifies the information and attributes required to identify a person or a computer system, and is used for the secure management and distribution of digitally signed certificates across secure Internet networks. OpenSSL most commonly uses X.509 certificates.
  
To properly implement the practical steps found in this guide, the reader should be a user of Ubuntu who is comfortable with the use of command-line applications, using the Bourne Again SHell (bash) environment, and editing system configuration files with their preferred text editor application. While previous familiarity with Secure Sockets Layer (SSL), or the OpenSSL implementation in particular, is not required for this guide, the reader is advised, if desired, to pursue further learning from the resources listed in the Resources section of this guide in order to broaden his/her understanding of this powerful security layer.
+
==Practical OpenSSL Usage==
  
About OpenSSL
+
===Installing the OpenSSL Toolkit===
  
Secure Sockets Layer is an application-level protocol which was developed by the Netscape Corporation for the purpose of transmitting sensitive information, such as Credit Card details, via the Internet. SSL works by using a private key to encrypt data transferred over the SSL-enabled connection, thus thwarting eavesdropping of the information. The most popular use of SSL is in conjunction with web browsing (using the HTTP protocol), but many network applications can benefit from using SSL. By convention, URLs that require an SSL connection start with https: instead of http:.
+
You can use the command
  
OpenSSL is a robust, commercial-grade implementation of SSL tools, and related general purpose library based upon SSLeay, developed by Eric A. Young and Tim J. Hudson. OpenSSL is available as an Open Source equivalent to commercial implementations of SSL via an Apache-style license.
+
apt install openssl
  
About X.509
+
It is usually already installed on Ubuntu distributions.
  
X.509 is a specification for digital certificates published by the International Telecommunications Union - Telecommunication (ITU-T). It specifies information and attributes required for the identification of a person or a computer system, and is used for secure management and distribution of digitally signed certificates across secure Internet networks. OpenSSL most commonly uses X.509 certificates.
+
===Installing the OpenSSL Library===
  
Practical OpenSSL Usage
+
Check which libssl packages are available:
  
Installing OpenSSL Toolkit
+
apt-cache search libssl | grep SSL
 +
apt-cache search libssl
  
To install the OpenSSL binary toolkit, install the following packages openssl (see InstallingSoftware).
+
The output will look roughly like this:
  
Installing OpenSSL Library
+
libssl-dev - Secure Sockets Layer toolkit - development files
 +
libssl-doc - Secure Sockets Layer toolkit - development documentation
 +
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 +
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 +
cl-plus-ssl - Common Lisp interface to OpenSSL
 +
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
 +
libssl-ocaml-dev - OCaml bindings for OpenSSL
 +
libsslcommon2 - enterprise messaging system - common SSL libraries
 +
libsslcommon2-dev - enterprise messaging system - common SSL development files
  
To install the OpenSSL general-purpose library, first determine the applicable version of the library available for your Ubuntu computer with the following command issued at a terminal prompt:
+
Install, for example,
  
apt-cache search libssl | grep SSL
+
locale-gen id_ID.UTF-8
 +
apt install libsslcommon2 libsslcommon2-dev libssl-dev libssl1.0.0 libssl1.0.0-dbg
  
You should observe output from the command similar to the following:
+
Also install ca-certificates:
  
libssl0.9.6 - SSL shared libraries (old version)
+
apt install ca-certificates
libssl-dev - SSL development libraries, header files and documentation
 
libssl0.9.7 - SSL shared libraries
 
  
In the above example, you would most likely want to install the current OpenSSL library, which appears in the output as libssl0.9.7 (for example, sudo apt-get install libssl0.9.7). Install the following packages: libssl0.9.7 (see InstallingSoftware). You may also need to install ca-certificates.
+
If they are needed for Java and Mono, you can also install:
  
Installing OpenSSL Development Library
+
apt install ca-certificates-java
 +
apt install ca-certificates-mono
  
In order to build software which requires the OpenSSL general-purpose library, you must first install the development instance of the OpenSSL library. Install the following packages libssl-dev (see InstallingSoftware).
+
==Installing the OpenSSL Development Library==
  
Basic OpenSSL Commands
+
If you need to build software against the OpenSSL library, you must install
  
The following section of the guide presents some of the more common basic commands, and parameters to commands which are part of the OpenSSL toolkit. For additional information, read the various OpenSSL system manual pages with the man command, and refer to the information presented in the Resources section of this guide.
+
apt install libssl-dev
  
Determine installed OpenSSL version:
+
==Basic OpenSSL Commands==
  
openssl version
+
This section covers basic OpenSSL commands.
 +
To find out which OpenSSL version is installed,
  
List of available OpenSSL sub-commands:
+
openssl version
  
openssl help
+
To list the OpenSSL sub-commands:
  
Get additional help information on OpenSSL sub-commands by using the openssl command followed by the sub-command, and the -h switch. For example, to get additional information on the openssl enc sub-command:
+
openssl help
  
openssl enc -h
+
To get help on a sub-command, use the following (for example, for the enc command),
  
List all available cipher algorithms:
+
openssl enc -h
  
openssl ciphers -v
+
To list all available cipher algorithms:
  
You may benchmark your computer's speed with OpenSSL, measuring how many bytes per second can be processed for each algorithm, and the times needed for sign/verify cycles by using the following command:
+
openssl ciphers -v
  
openssl speed
+
To benchmark the computer's speed with OpenSSL,
  
SSL Certificates
+
openssl speed
  
The following sections of this guide will introduce the concepts involved in the generation and use of SSL certificates, both the self-signed variety, and those signed by a recognized certificate authority for use with a server application supporting SSL, and the use of X.509 certificates in client applications.
+
==SSL Certificates==
  
SSL Certificates for Server Use
+
The following sections of this guide introduce the concepts involved in generating and using SSL certificates, both the self-signed variety and those signed by a recognized certificate authority, for use with a server application that supports SSL, and the use of X.509 certificates in client applications.
  
Once you have properly generated an X.509-compliant SSL certificate, you may either elect to sign the certificate yourself, by generating a Certificate Authority (CA), or you may opt to have a globally recognized Certificate Authority sign the certificate. When the certificate is signed, it is then ready to be used with the OpenSSL toolkit, or the library to enable encrypted SSL connections to a Lightweight Directory Access Protocol, (LDAP) or Hyper Text Transport Protocol (HTTP) server, for example. This section of the guide describes the certificate generation, and signing process for both self-signed, and recognized CA-signed certificates.
+
==SSL Certificates for Server Use==
  
Generating and Signing Self-Signed Certificates
+
Once you have generated an X.509-compliant SSL certificate, you may either sign the certificate yourself, by creating a Certificate Authority (CA), or have a globally recognized Certificate Authority sign it. When the certificate is signed, it is ready to be used with the OpenSSL toolkit, or the library, to enable encrypted SSL connections to, for example, a Lightweight Directory Access Protocol (LDAP) or Hyper Text Transport Protocol (HTTP) server. This part of the guide describes the certificate generation and signing process for both self-signed certificates and certificates signed by a recognized CA.
  
Self-signed certificates have a major advantage in that they are completely free to use, and they may be generated, signed, and used on an as-needed basis. Self-signed certificates are great for use in closed-lab environments or for testing purposes. One of the drawbacks of using self-signed certificates, however, is that warnings will typically be issued by a user's Web browser, and other applications, upon accessing an SSL-secured server that uses a self-signed certificate. By default, client applications (e.g., Firefox) will suppress such warnings for certificates that are signed using only a globally-recognized and trusted Certificate Authority, but warnings may also be squelched by importing a server's root certificate into client applications; a relevant demonstration is shown later in this guide. Using self-signed certificates in a publicly-accessible, production environment is not recommended due to the implicit trust issues arising from these warnings, in addition to the potential confusion caused to users.
+
==Generating and Signing Self-Signed Certificates==
  
NOTE: You must obtain a certificate signed by a recognized Certificate Authority in order to establish a commercial site, e.g., for conducting "e-commerce".
+
Self-signed certificates have the major advantage that they are completely free to use, and can be generated, signed, and used as needed. Self-signed certificates are very good for use in closed lab environments or for testing purposes. One drawback of using self-signed certificates, however, is that a warning will usually be issued by the user's web browser, and other applications, when accessing an SSL-secured server that uses a self-signed certificate. By default, client applications (e.g., Firefox) suppress such warnings only for certificates signed by a globally recognized and trusted Certificate Authority, but the warnings can also be silenced by importing the server's root certificate into the client application; a relevant demonstration is shown later in this guide. Using self-signed certificates in a publicly accessible production environment is not recommended because of the implicit trust problems arising from these warnings, in addition to the potential confusion for users.
  
Provided you've installed the OpenSSL toolkit previously, or per instructions above, the generation of X.509 SSL certificates is quite simple. For self-signed certificates, you must first establish a Certificate Authority (CA) by following the steps below:
+
'''NOTE:''' You must obtain a certificate signed by a recognized Certificate Authority in order to set up a commercial site, e.g., for conducting "e-commerce".
  
Creating the Certificate Authority
+
If you have installed the OpenSSL toolkit previously, or per the instructions above, generating X.509 SSL certificates is quite simple. For self-signed certificates, you must first create a Certificate Authority (CA) by following the steps below:
  
First, create an initial working environment, for example within your home directory by issuing the following command from a terminal prompt:
+
===Creating the Certificate Authority===
  
cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA
+
First, create an initial working environment, for example inside your home directory, by issuing the following commands from a terminal prompt:
  
The above command will place you in a newly-created subdirectory of your home directory named myCA, and within this subdirectory, you should have two additional subdirectories named signedcerts and private.
+
cd
 +
mkdir -p myCA/signedcerts
 +
mkdir myCA/private
 +
cd myCA
  
Within this initial working environment, the significance of the subdirectories, and their contents is as follows:
+
The function of each directory is as follows,
  
    ~/myCA : contains CA certificate, certificates database, generated certificates, keys, and requests
+
~/myCA : contains the CA certificate, certificate database, generated certificates, keys, and requests
 +
~/myCA/signedcerts : contains a copy of each signed certificate
 +
~/myCA/private : contains the private key
  
    ~/myCA/signedcerts : contains copies of each signed certificate
+
Next, create the initial certificate database in the ~/myCA subdirectory with the following commands,
  
    ~/myCA/private : contains the private key
+
cd ~/myCA
 +
echo '01' > serial  && touch index.txt
  
Next, create an initial certificate database in the ~/myCA subdirectory with the following command at a terminal prompt:
+
Next, create a caconfig.cnf file suitable for generating CA certificates. Edit it with
  
echo '01' > serial && touch index.txt
+
  sudo vi ~/myCA/caconfig.cnf
 +
sudo nano ~/myCA/caconfig.cnf
  
Now create an initial caconfig.cnf file suitable for the creation of CA certificates. Using your favorite editor, edit the file ~/myCA/caconfig.cnf, and insert the following content into the file:
+
Fill it with
  
sudo nano ~/myCA/caconfig.cnf
+
# My sample caconfig.cnf file.
 +
#
 +
# Default configuration to use when one is not provided on the command line.
 +
#
 +
[ ca ]
 +
default_ca      = local_ca
 +
#
 +
#
 +
# Default location of directories and files needed to generate certificates.
 +
#
 +
[ local_ca ]
 +
dir            = /home/<username>/myCA
 +
certificate    = $dir/cacert.pem
 +
database        = $dir/index.txt
 +
new_certs_dir  = $dir/signedcerts
 +
private_key    = $dir/private/cakey.pem
 +
serial          = $dir/serial
 +
#     
 +
#
 +
# Default expiration and encryption policies for certificates.
 +
#
 +
default_crl_days        = 365
 +
default_days            = 1825
 +
default_md              = sha1
 +
#     
 +
policy          = local_ca_policy
 +
x509_extensions = local_ca_extensions
 +
#
 +
#
 +
# Copy extensions specified in the certificate request
 +
#
 +
copy_extensions = copy
 +
#     
 +
#
 +
# Default policy to use when generating server certificates.  The following
 +
# fields must be defined in the server certificate.
 +
#
 +
[ local_ca_policy ]
 +
commonName              = supplied
 +
stateOrProvinceName    = supplied
 +
countryName            = supplied
 +
emailAddress            = supplied
 +
organizationName        = supplied
 +
organizationalUnitName  = supplied
 +
#     
 +
#
 +
# x509 extensions to use when generating server certificates.
 +
#
 +
[ local_ca_extensions ]
 +
basicConstraints        = CA:false
 +
#     
 +
#
 +
# The default root certificate generation policy.
 +
#
 +
[ req ]
 +
default_bits    = 2048
 +
default_keyfile = /home/<username>/myCA/private/cakey.pem
 +
default_md      = sha1
 +
#     
 +
prompt                  = no
 +
distinguished_name      = root_ca_distinguished_name
 +
x509_extensions        = root_ca_extensions
 +
#
 +
#
 +
# Root Certificate Authority distinguished name.  Change these fields to match
 +
# your local environment!
 +
#
 +
[ root_ca_distinguished_name ]
 +
commonName              = MyOwn Root Certificate Authority
 +
stateOrProvinceName    = NC
 +
countryName            = US
 +
emailAddress            = root@tradeshowhell.com
 +
organizationName        = Trade Show Hell
 +
organizationalUnitName  = IT Department
 +
#     
 +
[ root_ca_extensions ]
 +
basicConstraints        = CA:true
  
'''IMPORTANT:'''

* Edit /home/<username>/ under [ local_ca ] and [ req ] to match your username.
* Change commonName, stateOrProvinceName, countryName etc. under [ root_ca_distinguished_name ] to match your environment.
* For more details, read
  
IMPORTANT: Make sure to adjust the obvious site-specific details in the file, such as the two instances of /home/<username>/ under [ local_ca ] and [ req ]. Also change commonName, stateOrProvinceName, countryName etc. under [ root_ca_distinguished_name ] to personalize for your environment. For more information on the directives contained within this configuration file, use the man config command.
+
man config
  
When you've edited the file to match your environment, save the file as ~/myCA/caconfig.cnf.
+
* When you are done, save it as ~/myCA/caconfig.cnf.
  
Next, you need to generate the Certificate Authority Root Certificate and Key, by issuing a few commands. First, do this:
+
To start creating the Certificate Authority root certificate and key, first do this:
  
export OPENSSL_CONF=~/myCA/caconfig.cnf
+
export OPENSSL_CONF=~/myCA/caconfig.cnf
  
The previous command sets an environment variable, OPENSSL_CONF, which forces the openssl tool to look for a configuration file in an alternative location (in this case, ~/myCA/caconfig.cnf).
+
Create the CA with the command
  
Now, generate the CA certificate and key with the following command:
+
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
 
 
You should be prompted for a passphrase, and see output similar to this:
  
Generating a 2048 bit RSA private key
.................................+++
.................................................................................................+++
writing new private key to '/home/bshumate/myCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
  
Do not forget the passphrase used with the command above! You'll need it every time you want to generate and sign a new server or client certificate!
+
Do not forget the passphrase you used! You will need it to generate and sign server / client certificates!
  
The above process will create a self-signed certificate using PEM format and RSA public/private key encryption. The certificate will be valid for 1825 days. The location, and purpose of the resultant files is as follows:
+
The above process will create a self-signed certificate using the PEM format and RSA public/private key encryption. The certificate will be valid for 1825 days. The locations of the resulting files are as follows,
  
    ~/myCA/cacert.pem : CA public certificate
+
~/myCA/cacert.pem : CA public certificate
 +
~/myCA/private/cakey.pem : CA private key
  
    ~/myCA/private/cakey.pem : CA private key
+
===Optional Step===
  
Optional Step
+
Strip all the text from the certificate and keep only the -CERTIFICATE- section to create a crt
  
Strip the certificate from all its text to keep only the -CERTIFICATE- section to create a crt
+
openssl x509 -in cacert.pem -out cacert.crt
  
openssl x509 -in cacert.pem -out cacert.crt
+
===Creating a Self-Signed Server Certificate===
  
Creating a Self-Signed Server Certificate
+
Now that you have a Certificate Authority configured, you can use it to sign self-signed certificates. Before beginning the steps below, you may wish to encrypt the certificate's private key with a passphrase. The advantages of encrypting the key with a passphrase include protection of the certificate in the event it is stolen.
  
Now that you have a Certificate Authority configured, you may use it to sign self-signed certificates. Prior to beginning the steps below, you may wish to encrypt the certificate's private key with a passphrase. The advantages of encrypting the key with a passphrase include protection of the certificate in the event it is stolen.
+
The certificate cannot be used with SSL-enabled applications without entering the passphrase every time the SSL application is started. This condition, while the most secure, can cause a problem: if the server must run unattended, such as when the computer restarts, nobody will be available to enter the passphrase, and consequently the server will not start. One way to remove this condition involves a trade-off in security: the key can be decrypted, to remove the need for a passphrase; SSL-enabled applications will then start automatically, without having to enter a passphrase.
  
The certificate cannot be used with SSL-enabled applications without entering the passphrase every time the SSL-enabled application is started. This condition, while being most secure, can present a problem: If the server must be started in an unattended manner as in the case of a computer restart, then no one will be available to enter the passphrase, and subsequently the server will not start. One way to eliminate this condition involves a trade-off in security: The key may be decrypted, to remove the passphrase necessity; thus SSL-enabled applications will start automatically, without a need for you to enter a passphrase.
+
To actually generate a self-signed certificate for use with an SSL application, follow this process:
  
To actually generate a self-signed certificate for use with an SSL application, follow this process:
+
Create the server configuration file, by editing
  
Create the server configuration file, by editing ~/myCA/exampleserver.cnf with your favorite text editor. Add this example content:
+
vi ~/myCA/exampleserver.cnf
 +
nano ~/myCA/exampleserver.cnf
  
Add the following content,

#
# exampleserver.cnf
#
+
 +
[ req ]
 +
prompt                  = no
 +
distinguished_name      = server_distinguished_name
 +
req_extensions          = v3_req
 +
 +
[ server_distinguished_name ]
 +
commonName              = tradeshowhell.com
 +
stateOrProvinceName    = NC
 +
countryName            = US
 +
emailAddress            = root@tradeshowhell.com
 +
organizationName        = My Organization Name
 +
organizationalUnitName  = Subunit of My Large Organization
 +
 +
[ v3_req ]
 +
basicConstraints        = CA:FALSE
 +
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
 +
subjectAltName          = @alt_names
 +
 +
[ alt_names ]
 +
DNS.0                  = tradeshowhell.com
 +
DNS.1                  = alt.tradeshowhell.com
  
Be sure to change the values in the server_distinguished_name section, especially commonName. The commonName value must match exactly the hostname, or CNAME, of the machine the key is for. If commonName does not match the intended hostname, a host / certificate mismatch error will appear in the client application when the client tries to access the server.

After editing the file, save it as ~/myCA/exampleserver.cnf.

Generate the server certificate and key with the following commands,
 
  
Be sure to change the values under server_distinguished_name especially the commonName value. The commonName value must match the host name, or CNAME for the host you wish to use the key for. If the commonName does not match the intended hostname, then host / certificate mismatch errors will appear in the client applications of clients attempting to access the server.
+
export OPENSSL_CONF=~/myCA/exampleserver.cnf
  
Once you've edited the file appropriately, save it as ~/myCA/exampleserver.cnf. Generate the server certificate, and key with the following commands:
+
Note that OPENSSL_CONF is now changed to ~/myCA/exampleserver.cnf.
 +
Generate the certificate and key:
  
export OPENSSL_CONF=~/myCA/exampleserver.cnf
+
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
 
 
The previous command sets an environment variable OPENSSL_CONF which forces the openssl tool to look for a configuration file in an alternative location (in this case, ~/myCA/exampleserver.cnf).

Now generate the certificate, and key:

openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

You should be prompted for a passphrase, and see output similar to this:
  
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'tempkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
 
 
Don't forget the passphrase!
 
 
 
Next, you may translate the temporary private key into an unencrypted key by using the following command:
 
 
 
openssl rsa < tempkey.pem > server_key.pem
 
 
 
You should be prompted for the passphrase used above, and see the following output:
 
 
 
Enter pass phrase:
 
writing RSA key
 
 
 
If you wish to leave the key encrypted with a passphrase, simply rename the temporary key using the following command, instead of following the step above:
 
 
 
mv tempkey.pem server_key.pem
 
 
 
Remember: If you use a server key encrypted with a passphrase, the passphrase will have to be entered each time the server application using the encrypted key is started. This means the server application will not start unless someone, or something, enters the passphrase.
 
 
 
Now you need to sign the server certificate with the Certificate Authority (CA) key using these commands:
 
 
 
export OPENSSL_CONF=~/myCA/caconfig.cnf
 
 
 
The previous command modifies the environment variable OPENSSL_CONF, which forces the openssl tool to look for a configuration file in an alternative location (in this case, ~/myCA/caconfig.cnf, to switch back to the CA configuration).
 
 
 
Then sign the certificate as follows:
 
 
 
openssl ca -in tempreq.pem -out server_crt.pem
 
 
 
You will be prompted for the passphrase of the CA key as created in the Certificate Authority setup from above. Enter this passphrase at the prompt, and you will then be prompted to confirm the information in the exampleserver.cnf, and finally asked to confirm signing the certificate. Output should be similar to this:
 
 
 
Using configuration from /home/bshumate/myCA/caconfig.cnf
 
Enter pass phrase for /home/bshumate/myCA/private/cakey.pem:
 
Check that the request matches the signature
 
Signature ok
 
The Subject's Distinguished Name is as follows
 
commonName            :PRINTABLE:'tradeshowhell.com'
 
stateOrProvinceName  :PRINTABLE:'NC'
 
countryName          :PRINTABLE:'US'
 
emailAddress          :IA5STRING:'root@tradeshowhell.com'
 
organizationName      :PRINTABLE:'Trade Show Hell'
 
organizationalUnitName:PRINTABLE:'Black Ops'
 
Certificate is to be certified until Jan  4 21:50:08 2011 GMT (1825 days)
 
Sign the certificate? [y/n]:y
 
 
 
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
 
Write out database with 1 new entries
 
Data Base Updated
 
 
 
Remove the temporary certificate, and key files with the following command:
 
 
 
rm -f tempkey.pem && rm -f tempreq.pem
 
 
 
Congratulations! You now have a self-signed server application certificate, and key pair:
 
 
 
    server_crt.pem : Server application certificate file
 
 
 
    server_key.pem : Server application key file
 
 
 
Use the documentation provided with the server application you wish to use the certificate, and key for in order to properly use it. See the Configuring Apache for SSL Support section below for an example usage.
 
 
 
Optional Step for Certain Server Applications
 
 
 
Some server applications, such as the Courier IMAP mail server application require that the unencrypted private key be prepended to the server certificate. To accomplish this, simply enter the following commands:
 
 
 
cat server_key.pem server_crt.pem > hold.pem
 
mv      hold.pem server_crt.pem
 
chmod  400      server_crt.pem
 
 
 
Converting X.509 Certificates to PKCS#12 for Client Applications
 
 
 
If you wish to generate PKCS#12 certificates from your server's Root CA X.509 certificate for client use, you will need to use the following process on the particular server certificate, and key pair you desire to export a client certificate for:
 
 
 
Create a single file containing both the certificate, and key with the following command:
 
 
 
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
 
 
 
Then, convert this certificate / key combination file into the PKCS#12 certificate with the following command:
 
 
 
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for Whatever"
 
 
 
You will be prompted for an Export password, which you may use, or just leave blank.
 
  
The resultant mycert.pfx file may now be imported into applications such as Web Browsers, and E-Mail clients. Since this certificate represents the Root CA certificate of your server, all subsequent server-level certificates signed by the CA certificate will also be automatically accepted by the client application which installs this PKCS#12 version of the certificate.
Don't forget the passphrase!

Next, convert the temporary private key into an unencrypted key with the following command:

openssl rsa < tempkey.pem > server_key.pem

You will be asked for the passphrase used above:

Enter pass phrase:
writing RSA key

If you want the key to stay encrypted with a passphrase, simply rename the temporary key with the following command instead:

mv tempkey.pem server_key.pem

'''NOTE:''' If we use a server key that is encrypted with a password, the password has to be entered every time the server that uses this encrypted key is started. This means the server application will not start unless someone, or something (a script), supplies the key's password.

Next, we need to sign the server certificate with the Certificate Authority (CA) key using the following commands:

export OPENSSL_CONF=~/myCA/caconfig.cnf

We switch the configuration back to ~/myCA/caconfig.cnf because we will now act as the CA.

Sign the certificate as follows:

openssl ca -in tempreq.pem -out server_crt.pem

You will be asked for the passphrase of the CA key; enter it, then you will be asked to confirm the information from exampleserver.cnf, and finally to confirm signing the certificate. The output looks roughly like this:

Using configuration from /home/onno/myCA/caconfig.cnf
Enter pass phrase for /home/onno/myCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'tradeshowhell.com'
stateOrProvinceName   :ASN.1 12:'NC'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'root@tradeshowhell.com'
organizationName      :ASN.1 12:'My Organization Name'
organizationalUnitName:ASN.1 12:'Subunit of My Large Organization'
Certificate is to be certified until Jun 10 01:03:36 2022 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  
Remove the temporary certificate and key with the following commands:

cd ~/myCA/
rm -f tempkey.pem
rm -f tempreq.pem

Congratulations! You now have a self-signed server application certificate and its matching private key:

server_crt.pem : Server application certificate file
server_key.pem : Server application key file

==Optional Step for Certain Server Applications==

Some server applications, such as the Courier IMAP mail server, require the unencrypted private key to be prepended to the server certificate. This can be done with the following commands:

cat server_key.pem server_crt.pem > hold.pem
mv hold.pem server_crt.pem
chmod 400 server_crt.pem

==Converting X.509 Certificates to PKCS#12 for Client Applications==

If you intend to create a PKCS#12 certificate from the server's Root CA X.509 certificate for client use, you need to run the following process on the server certificate and key pair for which you want to export a client certificate.

Create a single file containing both the certificate and the key with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Then convert this combined certificate / key file into a PKCS#12 certificate with the following command:

openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for Whatever"

You will be asked for an Export password, which you can fill in or leave blank.

The resulting mycert.pfx file can now be imported into applications such as web browsers and e-mail clients. Because this certificate represents your server's Root CA certificate, all subsequent server-level certificates signed by the CA certificate will also be accepted automatically by a client application that installs this PKCS#12 version of the certificate.
  
==Generating Certificate for Signing by Recognized CA==

To run a production server that will engage in commercial activity, such as "e-commerce", you need a certificate signed by a recognized Certificate Authority (CA) such as VeriSign. The process of generating a certificate request and obtaining a certificate signed by a recognized CA can be difficult. You must complete all the required "paperwork" before creating a certificate request, and make sure all the required information is accurate.

Assuming you do not want a passphrase-encrypted key, enter the following command to create the private key and the certificate request:

openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

If you already have a key you want to use, use this command instead:

openssl req -new -key mykey.pem -out myreq.pem

You may want to verify the signature and the information contained in the certificate request. Verify the signature with this command:

openssl req -in myreq.pem -noout -verify -key mykey.pem

And verify the information with this command:

openssl req -in myreq.pem -noout -text

The next step usually involves pasting the contents of the certificate request file into the CA's signup form and waiting for the certificate. Also, you must safeguard the key file, because it will be needed to use the certificate you receive from the CA.
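The CA setup and signing procedure above, the PKCS#12 export, and this section's request generation and self-check, run end to end as an added shell example (not the Ubuntu page's or OnnoWiki's own code). It assumes the openssl CLI is installed, works in a throw-away directory instead of ~/myCA, and uses sha256 with 2048-bit keys where the page uses sha1 and rsa:1024 (OpenSSL 3 refuses SHA-1 signatures at its default security level, and 1024-bit RSA falls below Ubuntu's default level); the passwords capass and exportpass are constructed values.

```shell
#!/bin/sh
# Added example (not code from the Ubuntu help page or OnnoWiki): the page's CA
# signing procedure and PKCS#12 export run end to end in a scratch directory,
# with the checks a practitioner would add. Needs the openssl CLI. It deliberately
# uses sha256 and 2048-bit keys (OpenSSL 3 rejects SHA-1 chains at verify time)
# and -batch/-nodes/-passout so nothing prompts; the passwords are constructed.
set -eu
# caconfig.cnf equivalent to the page's, written into CA directory $1.
write_ca_config() {
  cat > "$1/caconfig.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $1
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/signedcerts
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_days = 1825
default_md = sha256
policy = local_ca_policy
x509_extensions = local_ca_extensions
copy_extensions = copy
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ local_ca_extensions ]
basicConstraints = CA:false
[ req ]
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = MyOwn Root Certificate Authority
stateOrProvinceName = NC
countryName = US
emailAddress = root@tradeshowhell.com
organizationName = Trade Show Hell
organizationalUnitName = IT Department
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
}
# exampleserver.cnf as on the page; the CA copies its request extensions.
write_server_config() {
  cat > "$1/exampleserver.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = tradeshowhell.com
stateOrProvinceName = NC
countryName = US
emailAddress = root@tradeshowhell.com
organizationName = My Organization Name
organizationalUnitName = Subunit of My Large Organization
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF
}
# Build the CA in $1, issue server_crt.pem, export server.pfx and print how
# many certificates the .pfx carries (leaf + CA = 2). Any failed step aborts.
ca_sign_and_export() {
  ca="$1"
  mkdir -p "$ca/signedcerts" "$ca/private"
  echo '01' > "$ca/serial" && : > "$ca/index.txt"
  write_ca_config "$ca" && write_server_config "$ca"
  # Root CA certificate with a passphrase-protected key, as in the page's CA setup
  OPENSSL_CONF="$ca/caconfig.cnf" openssl req -x509 -newkey rsa:2048 -days 1825 \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" -passout pass:capass >/dev/null 2>&1
  # Server key (the page's unencrypted variant) and request, then the CSR self-check
  OPENSSL_CONF="$ca/exampleserver.cnf" openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$ca/server_key.pem" -out "$ca/tempreq.pem" >/dev/null 2>&1
  openssl req -in "$ca/tempreq.pem" -noout -verify >/dev/null 2>&1
  # Sign with the CA (the page's "openssl ca -in tempreq.pem -out server_crt.pem")
  OPENSSL_CONF="$ca/caconfig.cnf" openssl ca -batch -passin pass:capass \
    -in "$ca/tempreq.pem" -out "$ca/server_crt.pem" >/dev/null 2>&1
  # Checks the page stops short of: the chain verifies against the CA, and
  # copy_extensions really carried CA:FALSE and keyUsage into the certificate
  openssl verify -CAfile "$ca/cacert.pem" "$ca/server_crt.pem" 2>/dev/null | grep -q ': OK'
  openssl x509 -in "$ca/server_crt.pem" -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in "$ca/server_crt.pem" -noout -text | grep -q 'Key Encipherment'
  # PKCS#12 bundle for a client, CA included, then read back without the key
  openssl pkcs12 -export -in "$ca/server_crt.pem" -inkey "$ca/server_key.pem" \
    -certfile "$ca/cacert.pem" -name tradeshowhell.com -out "$ca/server.pfx" \
    -passout pass:exportpass
  openssl pkcs12 -in "$ca/server.pfx" -passin pass:exportpass -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
workdir=$(mktemp -d)   # constructed scratch directory; inspect it afterwards
echo "server.pfx in $workdir holds $(ca_sign_and_export "$workdir") certificates"
```

After it runs, the scratch directory holds the same files the page's procedure produces (cacert.pem, private/cakey.pem, server_key.pem, server_crt.pem, signedcerts/01.pem, index.txt) plus server.pfx.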
  
==Using PKCS#12 Certificates in Client Applications==

This part of the guide explains the use of PKCS#12 certificates for SSL connections from the client's perspective, and shows the process of importing certificates into the Firefox web browser and a few of the more popular e-mail clients.

Importing a root certificate into such applications allows a trusted SSL-encrypted connection to the server the certificate came from, free of nagging messages about the certificate being self-signed, and so on.

===Importing a Certificate into Mozilla Firefox===

Importing a PKCS#12 certificate into the Mozilla Firefox web browser is very simple:

* From within Firefox, click Edit > Preferences
* Click the Advanced icon
* Click the View Certificates button
* Click the Import button
* Browse to the location of the certificate file, which is typically a .pfx file type
* Highlight the certificate file, and click the Open button

You may be prompted to enter Firefox's Master Password at this point, or to set an initial Master Password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the certificate's Export password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK

A message will appear advising that Firefox has "Successfully restored your security certificate(s) and private key(s)"

Click OK

You have successfully imported the server's client PKCS#12 certificate into Firefox

===Importing a Certificate into Evolution===

Importing a PKCS#12 certificate into the Evolution e-mail client is very simple:

* From within Evolution, click Edit > Preferences
* Click the Certificates icon
* Click the Import button
* Browse to the location of the certificate file, which is typically a .pfx file type
* Highlight the certificate file, and click the Open button

You may be prompted to enter Evolution's certificate database password at this point, or to set an initial certificate database password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the PKCS12 File Password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK

You should see the certificate, and its details appear in the Your Certificates section of the Evolution Settings window

Click the Close button

You have successfully imported the server's client PKCS#12 certificate into Evolution

===Importing a Certificate into Mozilla Thunderbird===

Importing a PKCS#12 certificate into the Mozilla Thunderbird e-mail client is very simple:

* From within Thunderbird, click Edit > Preferences
* Click the Advanced icon
* Click the Certificates entry in the right pane
* Click the Manage Certificates button
* Click the Import button
* Browse to the location of the certificate file, which is typically a .pfx file type
* Highlight the certificate file, and click the Open button

You may be prompted to enter Thunderbird's Master Password at this point, or to set an initial Master Password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the certificate's Export password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK

A message will appear advising that Thunderbird has "Successfully restored your security certificate(s) and private key(s)"

Click OK

You have successfully imported the server's client PKCS#12 certificate into Thunderbird

===Importing a Certificate into the System-Wide Certificate Authority Database===

You can import a CA certificate into the system-wide database of trusted certificate authorities. Applications that use this database will automatically trust the certificates stored there.

1. Copy your certificate to the system certificate directory. At the command line, type:

$ sudo cp mycert.pem /usr/share/ca-certificates/mycert.crt

2. Edit the ca-certificates configuration file /etc/ca-certificates.conf. Add the name of the file you copied to /usr/share/ca-certificates to the top of the list, just after the final '#', for example:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# certificates shoule be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mycert.crt
brasil.gov.br/brasil.gov.br.crt
cacert.org/cacert.org.crt
mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt
[... many additional certificates omitted ...]

Instead of editing the file by hand, you can run:

sudo dpkg-reconfigure ca-certificates

3. Update the CA certificates database by typing:

$ sudo update-ca-certificates

4. You have successfully imported your certificate into the system CA certificates database.

==Configuring Apache for SSL Support==

Please read:

* [[OpenSSL: set SSL untuk https di Ubuntu]]

==Resources==

These can be typed at the command line:

* man config - System manual page for the OpenSSL library configuration files
* man gendsa - System manual page for the gendsa DSA private key generator
* man genrsa - System manual page for the genrsa RSA private key generator
* man openssl - System manual page for the openssl command-line tool
* man rand - System manual page for the rand pseudo-random byte generator utility
* man x509 - System manual page for the x509 certificate display and signing utility

==References==

* https://help.ubuntu.com/community/OpenSSL

Latest revision as of 07:13, 15 June 2017

source: https://help.ubuntu.com/community/OpenSSL


About OpenSSL

Secure Sockets Layer is an application-level protocol developed by Netscape Corporation for the purpose of transmitting sensitive information, such as credit card details, over the Internet. SSL works by using a private key to encrypt the data transferred over an SSL-enabled connection, thereby defeating eavesdropping on the information. The most popular use of SSL is in conjunction with web browsing (using the HTTP protocol), but many network applications can benefit from SSL. By convention, URLs that require an SSL connection start with https: instead of http:.

OpenSSL is a robust, commercial-grade implementation of SSL tools, and the related general-purpose library, based on SSLeay, developed by Eric A. Young and Tim J. Hudson. OpenSSL is available as an Open Source equivalent to commercial SSL implementations under an Apache-style license.

About X.509

X.509 is a specification for digital certificates published by the International Telecommunications Union - Telecommunication (ITU-T). It specifies the information and attributes required to identify a person or a computer system, and is used for the secure management and distribution of digitally signed certificates across secure Internet networks. OpenSSL most commonly uses X.509 certificates.

Practical Use of OpenSSL

Install OpenSSL Toolkit

This can be done with the command:

apt install openssl

It is usually already installed on Ubuntu distributions.

Install OpenSSL Library

Check which libssl packages are available:

apt-cache search libssl | grep SSL
apt-cache search libssl

The output is roughly as follows:

libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
cl-plus-ssl - Common Lisp interface to OpenSSL
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libsslcommon2 - enterprise messaging system - common SSL libraries
libsslcommon2-dev - enterprise messaging system - common SSL development files

Install, for example:

locale-gen id_ID.UTF-8
apt install libsslcommon2 libsslcommon2-dev libssl-dev libssl1.0.0 libssl1.0.0-dbg

Also install ca-certificates:

apt install ca-certificates

If they are needed for Java and Mono, these can be installed too:

apt install ca-certificates-java
apt install ca-certificates-mono

Install OpenSSL Development Library

If it is needed to build against the OpenSSL library, we need to install:

apt install libssl-dev

Basic OpenSSL Command

This section covers basic OpenSSL commands. To find out which OpenSSL version is installed:

openssl version

To list the OpenSSL sub-commands:

openssl help

To get help on a sub-command, use (for example, for the enc command):

openssl enc -help

To list all available cipher algorithms:

openssl ciphers -v

To benchmark the computer's speed with OpenSSL:

openssl speed

SSL Certificate

The following part of this guide introduces the concepts involved in creating and using SSL certificates, both the self-signed variety and those signed by a recognized certificate authority, for use with SSL-capable server applications, as well as the use of X.509 certificates in client applications.

SSL Certificates for Server Use

Once you have generated an X.509-compliant SSL certificate, you can either sign the certificate yourself by creating a Certificate Authority (CA), or have a globally recognized Certificate Authority sign it. Once the certificate is signed, it is ready to be used with the OpenSSL toolkit or library to enable encrypted SSL connections to a server, for example a Lightweight Directory Access Protocol (LDAP) or Hyper Text Transport Protocol (HTTP) server. This part of the guide describes certificate generation and the signing process for both self-signed certificates and CA-signed certificates.

Generating and Signing Self-Signed Certificates

Self-signed certificates have the great advantage that they are completely free to use and can be generated, signed, and used as needed. Self-signed certificates are great for use in closed lab environments or for testing purposes. One drawback of using self-signed certificates, however, is that a warning will typically be issued by the user's web browser, and other applications, when accessing an SSL-secured server that uses a self-signed certificate. By default, client applications (e.g. Firefox) suppress such warnings only for certificates signed by a globally recognized and trusted Certificate Authority, but the warnings can also be turned off by importing the server's root certificate into the client application; the relevant demonstration appears later in this guide. Using self-signed certificates in a publicly accessible production environment is not recommended because of the implicit trust issues arising from these warnings, in addition to potential confusion for users.

NOTE: You must obtain a certificate signed by a recognized Certificate Authority to set up a commercial site, e.g. to do "e-commerce".

If you have installed the OpenSSL toolkit previously, or following the instructions above, generating X.509 SSL certificates is quite simple. For self-signed certificates, you first have to create a Certificate Authority (CA) by following the steps below:

Creating a Certificate Authority

First, create the initial working environment, for example in your home directory, by issuing the following commands from a terminal prompt:

cd
mkdir -p myCA/signedcerts
mkdir myCA/private
cd myCA

The purpose of each directory is as follows:

~/myCA : contains the CA certificate, the certificate database, generated certificates, keys, and requests
~/myCA/signedcerts : contains a copy of each signed certificate
~/myCA/private : contains the private key

Next, create the initial certificate database in the ~/myCA subdirectory with the following commands:

cd ~/myCA
echo '01' > serial  && touch index.txt

Next, create a caconfig.cnf suitable for generating the CA certificate. Edit it with:

sudo vi ~/myCA/caconfig.cnf
sudo nano ~/myCA/caconfig.cnf

Fill it with:

# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca      = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir             = /home/<username>/myCA
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
#       
#
# Default expiration and encryption policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha1
#       
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request
#
copy_extensions = copy
#       
#
# Default policy to use when generating server certificates.  The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
#       
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
basicConstraints        = CA:false
#       
#
# The default root certificate generation policy.
#
[ req ]
default_bits    = 2048
default_keyfile = /home/<username>/myCA/private/cakey.pem
default_md      = sha1
#       
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
# 
# Root Certificate Authority distinguished name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = MyOwn Root Certificate Authority
stateOrProvinceName     = NC
countryName             = US
emailAddress            = root@tradeshowhell.com
organizationName        = Trade Show Hell
organizationalUnitName  = IT Department
#       
[ root_ca_extensions ]
basicConstraints        = CA:true

IMPORTANT:

  • Edit /home/<username>/ under [ local_ca ] and [ req ] to match your username.
  • Change commonName, stateOrProvinceName, countryName etc. under [ root_ca_distinguished_name ] to match your situation.
  • For more details, read
man config
  • When finished, save it as ~/myCA/caconfig.cnf.

To start creating the Certificate Authority root certificate and key, first run:

export OPENSSL_CONF=~/myCA/caconfig.cnf

Create the CA with the command:

openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825

You should be prompted for a passphrase, and see output similar to this:

Generating a 2048 bit RSA private key
............................................................................................+++
...........+++
writing new private key to '/home/onno/myCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

Jalan sampai lupa pass phrase yang digunakan! Kita akan membutuhkannya untuk men-generate dan sign server / client certificate!

Proses di atas akan membuat self-signed certificate menggunakan PEM format dan RSA public/private key encryption. Certificate akan valid untuk 1825 hari. Lokasi file yang dihasilkan adalah sebagai berikut,

~/myCA/cacert.pem : CA public certificate
~/myCA/private/cakey.pem : CA private key

Optional Step

Discard everything in the certificate file except the -CERTIFICATE- section, to produce a crt

openssl x509 -in cacert.pem -out cacert.crt

Creating a Self-Signed Server Certificate

Once you have a configured Certificate Authority, you can use it to sign self-signed certificates. Before starting the steps below, you may want to encrypt the certificate's private key with a passphrase. Advantages of encrypting the key with a passphrase include protecting the certificate if it is stolen.

The certificate cannot be used with SSL-enabled applications without entering the passphrase every time the SSL application is started. This condition, while the most secure, can cause a problem: if the server must run unattended, such as when the computer restarts, nobody will be available to enter the passphrase, and consequently the server will not start. One way to eliminate this condition involves a security trade-off: the key can be decrypted to remove the need for a passphrase; the SSL-enabled application will then start automatically, without a passphrase having to be entered.

To actually generate a self-signed certificate for use with SSL applications, follow this process:

Create the server configuration file by editing

vi ~/myCA/exampleserver.cnf
nano ~/myCA/exampleserver.cnf

Add the following content,

#
# exampleserver.cnf
#

[ req ]
prompt                  = no
distinguished_name      = server_distinguished_name
req_extensions          = v3_req

[ server_distinguished_name ]
commonName              = tradeshowhell.com
stateOrProvinceName     = NC
countryName             = US
emailAddress            = root@tradeshowhell.com
organizationName        = My Organization Name
organizationalUnitName  = Subunit of My Large Organization

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName          = @alt_names

[ alt_names ]
DNS.0                   = tradeshowhell.com
DNS.1                   = alt.tradeshowhell.com


Be sure to change the values in the server_distinguished_name section, especially commonName. The commonName value must exactly match the hostname, or CNAME, of the machine the key is for. If commonName does not match the intended hostname, a host / certificate mismatch error will appear in the client application when the client tries to access the server.

Once the file is edited, save it as ~/myCA/exampleserver.cnf. Create the server certificate and key with the following commands,

export OPENSSL_CONF=~/myCA/exampleserver.cnf

Note that the value of OPENSSL_CONF is changed to ~/myCA/exampleserver.cnf. Create the certificate and key:

openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

You should be prompted for a passphrase, and see output similar to this:

Generating a 1024 bit RSA private key
....................................................++++++
...............................++++++
writing new private key to 'tempkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

Do not forget the passphrase!

Next, convert the temporary private key to an unencrypted key using the following command,

openssl rsa < tempkey.pem > server_key.pem

You will be asked for the passphrase used above,

Enter pass phrase:
writing RSA key

If you want the key to remain encrypted with the passphrase, simply rename the temporary key with the following command,

mv tempkey.pem server_key.pem

CAUTION: If we use a server key that is encrypted with a password, the password must be entered every time a server that uses this encrypted key is started. This means the server application will not run unless someone, or something such as a script, supplies the key's password.

Next, we need to sign the server certificate with the Certificate Authority (CA) key using the following command:

export OPENSSL_CONF=~/myCA/caconfig.cnf

We switch the configuration back to ~/myCA/caconfig.cnf because we will now act as the CA. Sign the certificate as follows,

openssl ca -in tempreq.pem -out server_crt.pem

You will be asked for the CA key passphrase; enter it, then you will be asked to confirm the information from exampleserver.cnf, and finally to confirm signing the certificate. The output looks roughly like this,

Using configuration from /home/onno/myCA/caconfig.cnf
Enter pass phrase for /home/onno/myCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'tradeshowhell.com'
stateOrProvinceName   :ASN.1 12:'NC'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'root@tradeshowhell.com'
organizationName      :ASN.1 12:'My Organization Name'
organizationalUnitName:ASN.1 12:'Subunit of My Large Organization'
Certificate is to be certified until Jun 10 01:03:36 2022 GMT (1825 days)
Sign the certificate? [y/n]:y
 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Remove the temporary certificate request and key using the following commands,

cd ~/myCA/
rm -f tempkey.pem
rm -f tempreq.pem

Congratulations! You now have a self-signed server application certificate and its matching private key:

server_crt.pem : Server application certificate file
server_key.pem : Server application key file

Optional Step for Certain Server Applications

Some server applications, such as the Courier IMAP mail server application, require the unencrypted private key to be appended to the server certificate. This can be done using the commands,

cat server_key.pem server_crt.pem > hold.pem
mv      hold.pem server_crt.pem
chmod   400      server_crt.pem

Converting an X.509 Certificate to PKCS#12 for Client Applications

If you intend to create a PKCS#12 certificate from the server's Root CA X.509 certificate for client use, you need to carry out the following process on the server certificate and its key pair to export a client certificate.

Create a file containing both the certificate and the key with the following command,

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Then, convert the combined certificate / key file to a PKCS#12 certificate using the command,

openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for Whatever"

You will be asked for an Export password, which you can fill in or leave blank.

The resulting mycert.pfx file can now be imported into applications such as Web Browsers and E-Mail clients. Because this certificate represents your server's Root CA certificate, all subsequent server-level certificates signed by the CA certificate will also be accepted automatically by client applications that install this PKCS#12 certificate.

Generating Certificate for Signing by Recognized CA

To run a production server that will engage in commercial activity, such as "e-commerce", a certificate is required that is signed by a recognized Certificate Authority (CA) such as VeriSign. The process of generating a certificate request and getting the certificate signed by a recognized CA can be difficult. You must complete all the "required" paperwork before creating the certificate request, and make sure all the required information is accurate.

Assuming you do not want a password-encrypted key, enter the following command to create the private key and certificate request:

openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

If you already have a key you want to use, use the following command:

openssl req -new -key mykey.pem -out myreq.pem

You may want to verify the signature and the information contained in the certificate request. Verify the signature with this command:

openssl req -in myreq.pem -noout -verify -key mykey.pem

And verify the information with this command:

openssl req -in myreq.pem -noout -text

The next step usually involves pasting the contents of the certificate request file into the CA's enrollment form, and waiting for the certificate. In addition, you must protect the key file, because it will be required to use the certificate you receive from the CA.
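The whole procedure above (root CA, server key and request, request verification as just shown, CA signing, chain check, PKCS#12 export) as one added, non-interactive shell script; this is example code, not part of the Ubuntu guide. It assumes the openssl CLI is installed; every name, hostname and passphrase is constructed for the demo, sha256 and 2048-bit keys replace the guide's sha1 and 1024-bit, and `openssl x509 -req` stands in for `openssl ca`.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): the CA -> server certificate -> PKCS#12
# procedure, run non-interactively into one directory and checked at each step.
# Assumptions: openssl CLI installed; all names, hostnames and passphrases are
# constructed; sha256 / 2048-bit keys instead of the guide's sha1 / 1024-bit.
set -eu
# make_chain DIR: build the CA and server material under DIR; any failing step aborts.
make_chain() (
  mkdir -p "$1" && cd "$1"
  # 1. Root CA: passphrase-protected key plus self-signed certificate. -subj and
  #    -passout replace the caconfig.cnf prompts; the key stays encrypted on disk.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1825 -passout pass:demo-ca-pass \
    -subj "/CN=Demo Root CA/O=Demo Org/C=US" -keyout cakey.pem -out cacert.pem 2>/dev/null
  # 2. Server key (unencrypted, -nodes) and request. The v3_req / alt_names
  #    sections of exampleserver.cnf become this small extension file.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=nonRepudiation,digitalSignature,keyEncipherment' \
    'subjectAltName=DNS:www.example.test,DNS:alt.example.test' > server_ext.cnf
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test/O=Demo Org/C=US" \
    -keyout server_key.pem -out server_req.pem 2>/dev/null
  # The guide's request check: the CSR must carry a valid self-signature.
  openssl req -in server_req.pem -noout -verify 2>/dev/null
  # 3. Sign with the CA. "openssl x509 -req" is the stateless cousin of the guide's
  #    "openssl ca": same signature, but no index.txt / serial database to maintain.
  openssl x509 -req -in server_req.pem -CA cacert.pem -CAkey cakey.pem \
    -passin pass:demo-ca-pass -CAcreateserial -days 365 -sha256 \
    -extfile server_ext.cnf -out server_crt.pem 2>/dev/null
  # 4. Verify the chain the way a client that trusts cacert.pem would.
  openssl verify -CAfile cacert.pem server_crt.pem >/dev/null
  # 5. Bundle key, certificate and CA certificate into PKCS#12 for client import
  #    (empty export password, the "leave it blank" choice in the guide).
  openssl pkcs12 -export -in server_crt.pem -inkey server_key.pem -certfile cacert.pem \
    -name "www.example.test" -passout pass: -out server.pfx
)

# san_dns DIR: print the DNS names actually embedded in the signed certificate.
san_dns() {
  openssl x509 -in "$1/server_crt.pem" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# pfx_cert_count DIR: certificates inside server.pfx (server + CA = 2).
pfx_cert_count() {
  openssl pkcs12 -in "$1/server.pfx" -passin pass: -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo="${TMPDIR:-/tmp}/myCA-demo.$$"
make_chain "$demo"
echo "SAN: $(san_dns "$demo"); certificates in server.pfx: $(pfx_cert_count "$demo")"
```

Because the CA key is written passphrase-protected, running the signing step again still requires the passphrase, exactly the trade-off the guide describes for server keys.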

Using PKCS#12 Certificates in Client Applications

This section of the guide describes the use of PKCS#12 certificates for SSL connections from the client perspective, and demonstrates the process of importing certificates into the Firefox Web Browser application and some of the more popular E-Mail clients.

Importing the root certificate into an application enables trusted, SSL-encrypted connections to the server the certificate came from, free of annoying messages about self-signed certificates and so on.

Importing a Certificate into Mozilla Firefox

Importing a PKCS#12 certificate into the Mozilla Firefox Web Browser is very simple:

  • From within Firefox, click Edit > Preferences
  • Click the Advanced icon
  • Click the View Certificates button
  • Click the Import button
  • Browse to the location of the certificate file, which is typically a .pfx file type
  • Highlight the certificate file, and click the Open button

You may be prompted to enter Firefox's Master Password at this point, or to set an initial Master Password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the certificate's Export password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK. A message will appear advising that Firefox has "Successfully restored your security certificate(s) and private key(s)"

Click OK
You have successfully imported the server's client PKCS#12 certificate into Firefox

Importing a Certificate into Evolution

Importing a PKCS#12 certificate into the Evolution E-Mail client is very simple:

  • From within Evolution, click Edit > Preferences
  • Click the Certificates icon
  • Click the Import button
  • Browse to the location of the certificate file, which is typically a .pfx file type
  • Highlight the certificate file, and click the Open button

You may be prompted to enter Evolution's certificate database password at this point, or to set an initial certificate database password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the PKCS12 File Password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK

You should see the certificate, and its details appear in the Your Certificates section of the Evolution Settings window

Click the Close button
You have successfully imported the server's client PKCS#12 certificate into Evolution

Importing a Certificate into Mozilla Thunderbird

Importing a PKCS#12 certificate into the Mozilla Thunderbird E-Mail client is very simple:

  • From within Thunderbird, click Edit > Preferences
  • Click the Advanced icon
  • Click the Certificates entry in the right pane
  • Click the Manage Certificates button
  • Click the Import button
  • Browse to the location of the certificate file, which is typically a .pfx file type
  • Highlight the certificate file, and click the Open button

You may be prompted to enter Thunderbird's Master Password at this point, or to set an initial Master Password. Enter the current, or new password as required, confirm it, and click OK

You will then be prompted to enter the certificate's Export password. If there is no such password attached to the certificate, simply click OK, otherwise enter the password, and click OK. A message will appear advising that Thunderbird has "Successfully restored your security certificate(s) and private key(s)"

Click OK
You have successfully imported the server's client PKCS#12 certificate into Thunderbird 

Importing a Certificate into the System-Wide Certificate Authority Database

You can import a CA certificate into the system-wide database of trusted certificate authorities. Applications that use this database will automatically trust the certificates stored there.

1. Copy your certificate to the system certificate directory. At the CLI, type,

$ sudo cp mycert.pem /usr/share/ca-certificates/mycert.crt

2. Edit the ca-certificates configuration /etc/ca-certificates.conf. Add the name of the file you copied into /usr/share/ca-certificates at the top of the list, after the last '#', for example,

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# certificates shoule be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mycert.crt
brasil.gov.br/brasil.gov.br.crt
cacert.org/cacert.org.crt
mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt
[... many additional certificates omitted ...]

Instead of editing the file by hand, you can run,

sudo dpkg-reconfigure ca-certificates

3. Update the CA certificates database by typing,

$ sudo update-ca-certificates

4. You have now imported your certificate into the system CA certificates database.
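An added script, not from the guide, that reads an /etc/ca-certificates.conf entry with the rules the file's own header states ('#' lines are comments, a leading '!' deselects), wraps steps 1 to 3 above, and finishes with the check the guide leaves out: that the updated store validates a certificate issued by the imported CA. It assumes the Debian/Ubuntu default paths shown above and the openssl CLI; the sample configuration at the bottom is constructed, and the root-only install function is defined but not run automatically.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): read /etc/ca-certificates.conf with the
# same rules its header states, then wrap steps 1-3 with a trust check at the end.
# Assumptions: Debian/Ubuntu default paths, openssl CLI present; the sample
# configuration at the bottom is constructed, not a real system file.
set -eu

# ca_conf_state CONF NAME: "enabled" if NAME is listed, "deselected" if listed with a
# leading '!', "missing" otherwise. Lines starting with '#' and blank lines are skipped.
ca_conf_state() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == want        { state = "enabled";    exit }
    $0 == ("!" want)  { state = "deselected"; exit }
    END { print (state == "" ? "missing" : state) }' "$1"
}

# install_system_ca CA.pem SIGNED.pem: steps 1-3 of the guide for CA.pem, then prove the
# system store trusts SIGNED.pem (a certificate that CA issued). Needs root; not run here.
install_system_ca() {
  name="$(basename "$1" .pem).crt"
  sudo cp "$1" "/usr/share/ca-certificates/$name"                      # step 1
  if [ "$(ca_conf_state /etc/ca-certificates.conf "$name")" != enabled ]; then
    # step 2: the guide puts the entry at the top; update-ca-certificates reads every
    # non-comment line, so appending is equivalent.
    printf '%s\n' "$name" | sudo tee -a /etc/ca-certificates.conf >/dev/null
  fi
  sudo update-ca-certificates                                          # step 3
  # The check the guide does not show: the hashed store must now validate SIGNED.pem.
  openssl verify -CApath /etc/ssl/certs "$2"
}

# Stand-alone demo on a constructed configuration file (no root needed).
sample="${TMPDIR:-/tmp}/ca-certificates.conf.demo.$$"
printf '%s\n' '# This is autogenerated by dpkg-reconfigure ca-certificates.' '' \
  'mycert.crt' '!mozilla/Untrusted_Root.crt' 'cacert.org/cacert.org.crt' > "$sample"
for f in mycert.crt mozilla/Untrusted_Root.crt other.crt; do
  echo "$f: $(ca_conf_state "$sample" "$f")"
done
rm -f "$sample"
```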

Configuring Apache for SSL Support

Please read

Resources

These can be typed at the CLI

  • man config - System manual page for the OpenSSL library configuration files
  • man gendsa - System manual page for the gendsa DSA private key generator
  • man genrsa - System manual page for the genrsa RSA private key generator
  • man openssl - System manual page for the openssl command-line tool
  • man rand - System manual page for the rand pseudo-random byte generator utility
  • man x509 - System manual page for the x509 certificate display and signing utility

References